"hdr" has been copied in from user space and "hdr.opcode" is checked.
The code copies it again. User space data between the two copies is
subject to modification if the user-space code is multithreaded and
malicious. The modification may invalidate the check. The fix avoids
copying the header from user space again.

Signed-off-by: Kangjie Lu <k...@umn.edu>
---
 fs/coda/psdev.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c
index fb4d1c654773..248d21f84b54 100644
--- a/fs/coda/psdev.c
+++ b/fs/coda/psdev.c
@@ -174,7 +174,10 @@ static ssize_t coda_psdev_write(struct file *file, const 
char __user *buf,
                                hdr.opcode, hdr.unique);
                nbytes = req->uc_outSize; /* don't have more space! */
        }
-       if (copy_from_user(req->uc_data, buf, nbytes)) {
+       *((struct coda_in_hdr *)req->uc_data) = hdr;
+       if (copy_from_user(req->uc_data + sizeof(hdr),
+                               buf + sizeof(hdr),
+                               nbytes - sizeof(hdr))) {
                req->uc_flags |= CODA_REQ_ABORT;
                wake_up(&req->uc_sleep);
                retval = -EFAULT;
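Review bot: The length `nbytes - sizeof(hdr)` passed to the new copy_from_user call has no visible lower bound on nbytes: the clamp on the line above (`nbytes = req->uc_outSize`) can shrink it, and nothing in this hunk guarantees that value is at least sizeof(hdr), so a smaller nbytes wraps the size_t length and the whole-struct store on the preceding line would already write past a uc_data buffer shorter than sizeof(hdr). A guard such as `if (nbytes < sizeof(hdr))` that takes the same abort path as the -EFAULT branch below it (set CODA_REQ_ABORT, wake_up, return an error) would close that. If the earlier peek that validated hdr.opcode only filled the leading opcode/unique fields of hdr (not visible here), the assignment `*((struct coda_in_hdr *)req->uc_data) = hdr;` would also copy uninitialized stack bytes into uc_data, so copying only the verified prefix and the rest from user space is the safer shape; in any case `memcpy(req->uc_data, &hdr, sizeof(hdr));` avoids the aliasing cast and any alignment assumption on uc_data. The enclosing coda_psdev_write starts and ends outside the hunk.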
-- 
2.17.2 (Apple Git-113)
